module
MS11-050 IE mshtml!CObjectElement Use After Free
| Disclosed | Created |
|---|---|
| Jun 16, 2011 | May 30, 2018 |
Disclosed
Jun 16, 2011
Created
May 30, 2018
Description
This module exploits a use-after-free vulnerability in Internet Explorer. The
vulnerability occurs when an invalid tag exists and other elements
overlap/cover where the object tag should be when rendered (due to their
styles/positioning). The mshtml!CObjectElement is then freed from memory because
it is invalid. However, the mshtml!CDisplay object for the page continues to keep
a reference to the freed and attempts to call a function on it, leading
to the use-after-free.
Please note that for IE 8 targets, JRE (Java Runtime Environment) is required
to bypass DEP (Data Execution Prevention).
vulnerability occurs when an invalid tag exists and other elements
overlap/cover where the object tag should be when rendered (due to their
styles/positioning). The mshtml!CObjectElement is then freed from memory because
it is invalid. However, the mshtml!CDisplay object for the page continues to keep
a reference to the freed and attempts to call a function on it, leading
to the use-after-free.
Please note that for IE 8 targets, JRE (Java Runtime Environment) is required
to bypass DEP (Data Execution Prevention).
Authors
d0c_s4vage
sinn3r sinn3r@metasploit.com
bannedit bannedit@metasploit.com
sinn3r sinn3r@metasploit.com
bannedit bannedit@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.